AppScan Deployment APPLICATION SECURITY SERVICES. Colin Bell. Applications Security Senior Practice Manager

Transcription

1 APPLICATION SECURITY SERVICES AppScan Deployment Colin Bell Applications Security Senior Practice Manager Copyright 2017 HCL Products & Platforms

2 The Evolution of Devops Continuous Integration / Continuous Delivery DevOps Extreme Prototyping / Programming AGILE Development RAD/JAD Rapid Application Development Joint Application Development 1980 s - Evolutionary Prototyping 1980 s - Throwaway Prototyping Prototyping 1960s - Monolithic Software Development

3 3 6/19/18

4 What are DevOps all about? The collaboration of Development and IT Operations. Its goal is Automation of the Software Delivery processes. Releasing software quickly and reliably. Development DevOps Continuous Delivery IT Operations Where does testing fit into this model? How do we maintain security of the applications? 4 6/19/18

5 What are DevOps all about? Testing is overcome by introducing QA into the model. An emphasis is on automation of the QA process through tooling. Development Acceptance Test Quality DevOps Continuous Delivery However Security is still not part of most DevOps models. (minor mention on the wiki Definition Page) Security is an afterthought! Quality Assurance IT Audit & Governance IT Operations 5 6/19/18

6 What are DevOps all about? Security needs to play a part for DevOps to truly work. However, it can t be a barrier to the objectives of DevOps. Tooling and Automation is essential Development Acceptance Test QA Security Test Continuous Delivery Security Build Automation Secure Quality DevOps Security Application Pen Test Security Operations (ISOC) Network Pen Test Are Organizations capable of reaching this?? Quality Assurance IT Audit & Governance IT Operations 6 6/19/18

7 Which Life Cycle? 7 6/19/18

8 SDLC - The Waterfall Approach Requirements Design STATIC ANALYSIS (Dev) IBM Security (SAST) Code & Unit Test DYNAMIC ANALYSIS (QA) IBM Security (DAST) Integration PENETRATION TEST (Security) (SAST) IBM Security AppScan Standard (DAST) Manual Testing System Test

9 SDLC DevOps suggests an Agile Approach (SAST) (Filtering on High Confidence) Daily Review SPRINT 2-3 weeks (SAST) (DAST) Product Backlog Sprint Backlog Iteration Product Shipping PENETRATION TEST (Security) (SAST) AppScan Standard (DAST) Manual Testing

10 SDLC - The Agile-Fall Approach This is the reality for most.is it any different to waterfall? Requirements Design (SAST) Integration DYNAMIC ANALYSIS (QA) (DAST) System Test PENETRATION TEST (Security) (SAST) AppScan Standard (DAST) Manual Testing

11 Application Security Maturity Operational Excellence Unaware Awareness Phase Internal Pen Testing Application Security Gates Vulnerability Reporting Internal Assessments Corrective Phase Code based Assessments Build integration Automation Security Gate / Pen Testing Application Risk Management Some Levels of Automation Developer IDE Scanning Devops Integration Build integration Automation Pass Fail Gates for CI Gate QA Security Testing Security Gate / Pen Testing Application Risk Management Repeatable Process No Application Security Program Source: If applicable, describe source origin

12 Increase SDLC testing to increase maturity Unaware Awareness Phase Corrective Phase Operations Excellence Phase Security Maturity Development Appscan Source QA Team Appscan Enterprise Development Appscan Source Appscan Enterprise QA Team Appscan Enterprise Security Team Security Team Security Team Appscan Standard Appscan Standard Appscan Standard Manual Pen Test Manual Pen Test Manual Pen Test Doing Nothing Ad Hoc Testing Testing Before Deployment Testing Throughout SDLC TIME

13 Example: Assessing application security risk with AppScan Application Name IT Help Product catalog Travel Reservation Online store Description Internal IT help Online product catalog Internal employee travel reservation Online store Exposure Internal External Internal External Stores sensitive information No No Yes Yes PCI compliance No No Yes Yes Business impact Low Medium High Critical Security assessment policy (based on Business Impact) Vulnerability Pre Prod Scan Annual Prod Test 2 Med: Session identifier not updated Code Scan on Builds Pre Prod Scan Manual Pen test Annual Prod Test Dev Code Scanning Code Scan on Builds QA Dynamic Scan Pre Prod Scan Manual Pen test Bi-Annual Prod Test Dev Code Scanning Code Scan on Builds QA Dynamic Scan Pre Prod Scan Manual Pen test External Security Test Quarterly Prod Test 2 High: SQL Injection 1 Med: Open redirect 1 High: SQL Injection Risk rating = Business Impact x Vulnerability Low High Medium Very High

14 DAST Deployment Models 14 6/19/18

15 The Life Cycle of an Application (DAST) CODE BUILD QA SECURITY PRODUCTION Development Gate QA Gate Security Gate Developers Quick Scans Continuous Integration DAST Automation Automated Scans Application Only Test Policy AppScan Standard Dynamic Scans Complete Test Policy Manual Pen Testing Internal & External testing Input Control Test Policy Developers & QA Testers Dynamic Scans Ad Hoc Testing Application Only Test Policy Security Champion Pen Testing deep dive review of application Gate Conditions Developer self Scan Optional gate Self assessment Gate Conditions All High & Medium risk Application issue resolved All Input Validation issues resolved Gate Conditions All High risk issue resolved All Medium risk issues > 30 days resolved Any Low risk issues > 90 days resolved

16 Dynamic Analysis Phase 1 Security Centric / Pen Testing Web Application(s) Conduct Scans AppScan Standard Desktop Client Triage findings & Results Verification PDF Reports Security Team AppScan Standard Conduct Scans, compliance reports Complete Full Coverage Test Policy Findings Summary & Compliance Reports PDF Reports Detailed Findings Report Development Teams Manual Pen Test Managers

17 Dynamic Analysis Phase 2 Enterprise Reporting Web Application(s) Conduct Scans AppScan Standard Server Desktop Client Enterprise Reporting User Administration Triage findings & Results Verification AppScan Enterprise DB Publish AppScan Standard Results Security Team AppScan Standard & Dynamic User Conduct Scans, ASE Administration, Create enterprise level metrics, trending and compliance reports Complete Full Coverage Test Policy Manual Pen Test Publish manual findings (CSV file)

18 Dynamic Analysis Phase 2 Enterprise Reporting Web Application(s) Conduct Scans AppScan Standard Server Desktop Client Enterprise Reporting User Administration Triage findings & Results Verification AppScan Enterprise DB Publish AppScan Standard Results Application Management Dashboards & Reports Security Team AppScan Standard & Dynamic User Conduct Scans, ASE Administration, Create enterprise level metrics, trending and compliance reports Complete Full Coverage Test Policy Manual Pen Test Publish manual findings (CSV file) Managers Reporting View enterprise level metrics, Application Management and compliance reports

19 Dynamic Analysis Phase 2 Enterprise Reporting Web Application(s) Conduct Scans AppScan Standard Server Desktop Client Enterprise Reporting User Administration Triage findings & Results Verification AppScan Enterprise DB Publish AppScan Standard Results Application Management Dashboards & Reports Manage Issues Security Team AppScan Standard & Dynamic User Conduct Scans, ASE Administration, Create enterprise level metrics, trending and compliance reports Complete Full Coverage Test Policy Manual Pen Test Publish manual findings (CSV file) Managers Reporting View enterprise level metrics, Application Management and compliance reports Review Results Development Teams manage issues, review findings

20 Dynamic Analysis Phase 3 Advanced Scanning & Reporting Web Application(s) Conduct Scans Conduct Scans Run on-demand or Scheduled Scans Headless & Automated Scans Dynamic Analysis Scanners Scan results AppScan Standard Server Desktop Client Enterprise Reporting User Administration Triage findings & Results Verification AppScan Enterprise DB Publish AppScan Standard Results Application Management Dashboards & Reports Manage Issues Security Team AppScan Standard & Dynamic User Conduct Scans, ASE Administration, Create enterprise level metrics, trending and compliance reports Complete Full Coverage Test Policy Manual Pen Test Publish manual findings (CSV file) Managers Reporting View enterprise level metrics, Application Management and compliance reports Review Results Development Teams manage issues, review findings

21 Dynamic Analysis Phase 4 Introduce QA Security Testing Web Application(s) Conduct Scans AppScan Standard Desktop Client Conduct Scans Run on-demand or Scheduled Scans Headless & Automated Scans Enterprise Reporting Dynamic Analysis Scanners Scan results Server User Administration Run on-demand or Scheduled Scans Review Results Manage Issues QA Teams Dynamic User Configure & Conduct Scans, manage issues, review findings Application Test Policy Triage findings & Results Verification AppScan Enterprise DB Publish AppScan Standard Results Application Management Dashboards & Reports Manage Issues Security Team AppScan Standard & Dynamic User Conduct Scans, ASE Administration, Create enterprise level metrics, trending and compliance reports Complete Full Coverage Test Policy Manual Pen Test Publish manual findings (CSV file) Managers Reporting View enterprise level metrics, Application Management and compliance reports Review Results Development Teams manage issues, review findings

22 Dynamic Analysis Phase 5 Full Enterprise wide testing Conduct Scans Web Application(s) Conduct Scans AppScan Standard Desktop Client Triage findings & Results Verification Conduct Scans Run on-demand or Scheduled Scans Headless & Automated Scans Enterprise Reporting Server AppScan Enterprise DB Dynamic Analysis Scanners Scan results User Administration Run on-demand or Scheduled Scans Review Results Manage Issues Scan results QA Teams Dynamic User Configure & Conduct Scans, manage issues, review findings Application Test Policy Dynamic Analysis Scanners Publish AppScan Standard Results Application Management Dashboards & Reports Manage Issues Run Quick Scans Security Team AppScan Standard & Dynamic User Conduct Scans, ASE Administration, Create enterprise level metrics, trending and compliance reports Complete Full Coverage Test Policy Manual Pen Test Publish manual findings (CSV file) Managers Reporting View enterprise level metrics, Application Management and compliance reports Review Results Development Teams Dynamic User Run Quick Scans, manage issues, review findings Limited / Input Control Test Policy

23 Dynamic Analysis Enterprise DAST Evolves over time Conduct Scans Web Application(s) Conduct Scans AppScan Standard Desktop Client Triage findings & Results Verification Conduct Scans Run on-demand or Scheduled Scans Headless & Automated Scans Enterprise Reporting Server AppScan Enterprise DB Dynamic Analysis Scanners Scan results User Administration Run on-demand or Scheduled Scans Review Results Manage Issues Scan results QA Teams Dynamic User Configure & Conduct Scans, manage issues, review findings Application Test Policy Dynamic Analysis Scanners Publish AppScan Standard Results Application Management Dashboards & Reports Manage Issues Run Quick Scans Security Team AppScan Standard & Dynamic User Conduct Scans, ASE Administration, Create enterprise level metrics, trending and compliance reports Complete Full Coverage Test Policy Manual Pen Test Publish manual findings (CSV file) Managers Reporting View enterprise level metrics, Application Management and compliance reports Review Results Development Teams Dynamic User Run Quick Scans, manage issues, review findings Limited / Input Control Test Policy

24 DAST Scanning Automation / Scan and Review Continuous Integration DAST Automation Application Only Test Policy Managers View Application Metrics Security Team are Champions Automation from Functional testing tools Web Application(s) Conduct Scans Application Security Management Reports & dashboards Dynamic Analysis Scanners Scan results SQL Server DB Security Team Create Policy Scan Applications Approve Findings Complete Test Policy Run detailed Scans Run on-demand or Scheduled Scans Developers & QA Scan Applications Review Findings Input Only Test Policy Review Results Approve Results Integration with QA testing tools for DAST Automation Regular scans can be conducted after every build or at strategic points such as the end of a sprint. QA conduct scans for Ad Hoc Testing Security team provide deep dive scanning in conjunction with manual pen testing Regular management metrics

25 DAST Process High Level Scan Validate Release Remediate Security IRMD - Set Goals for AVA scans - Approve authorisation - Govern AVA scanning schedule - Annual Review and Incident Response Application On- Boarding (configure and execute scan) AVA Scan Results Triage -Review trend -Determine security priorities -Evaluate Risk Reported Findings - Validate scan results - Verify fixes - Share results with HODs AVA scan findings remediated? Yes Code cleared for release App Lead AVA New Application Scan Configuration Completed Scan No Assign Remediation Tasks Developers Provide Application Details & Function Flows Review Findings Correct Code to Fix Vulnerabilities LEGEND Security App Lead Developer Infra

26 SAST Deployment Models 26 6/19/18

27 The Life Cycle of an Application (SAST) CODE BUILD QA SECURITY PRODUCTION CI - Development Gate Security Gate Continuous Integration IFA For Automation IFA Delta Findings For Analysis Periodic deep dive review of application Security Champion IFA For Analysis Onboard application using IFA to establish baseline Security Champion Gate Conditions Build process controls Pass / Fail IFA Delta Scans (only new issues reported) Gate Conditions All High risk issue resolved All Medium risk issues > 30 days resolved Any Low risk issues > 90 days resolved

28 CASE 1 Initial Distributed Model Application Security Management Reports & dashboards Managers Reporting View Application Metrics Manage Risk AppScan Source DB One Champion per Development team (10 in total) Developers For Remediation Open Assessments Fix Findings Administration (Access) Publish Assessments Create Shared configuration Files Create Shared filters (Security Policy) Markup Management Resolve lost sinks Identify lost sources Create custom rules Assessment Data (Bundles) Lead Developer Champion(s) Security Team For Analysis Scan (full coverage) Onboard Applications Conduct Scans For Analysis Review assessments Approve scan results Triage scan results Source Code & Dependencies Key objective was to get development teams scanning Security team not part of the process - IBM performed this role initially Management Metrics and Risk scoring were unclear Each team used different SDLC approaches Lots of Legacy code in scope

29 Should All Data be Trusted? Consider the interactions with one central Database 3 rd Party Application(s) Unknown Central Client Policy Database New Business Application.NET Untrusted Data Trusted Data Sanitize Data Trusted Data Trusted Data This data should NOT be trusted Reporting Application JAVA Trusted Data Middleware Unsanitized Return Data Trusted Data Mobile Application Android & ios Number Cruncher COBOL Customer Statements JAVA 29 6/19/18

30 CASE 2 Automation as a priority AUTO Publish Findings Application Security Management Reports & dashboards Managers / PCI Auditor Reporting View Application Metrics No Security Champions in place AppScan Source DB Build Server For Automation Scan (Auto) Config / Filter (Baseline Policy) Security Team For Analysis Create Policy / Baseline Review assessments Network Share Assessment Results Integration with Build Process (Jenkins Maven - CLI) Developers For Remediation Open Assessments Fix Findings Conduct Scans Source Code & Dependencies DevOps focused on automation and tooling Results and findings are less important than getting the scans run on a regular basis Full on-boarding of applications to be done at a later phase Education to Developers on secure coding also earmarked for a later phase

31 CASE 3 Developer Scanning Application Security Management Thousands of Developers No Security Champions in place AppScan Source DB Extract scan metrics Auto communicates scan statistics to server Developers For Development Scan Applications and Projects Fix Findings Administration Maintain users Maintain Application Management Scan Results Scan Metrics and usage Stats Conduct Scans Security Team For Analysis Create Policy / Baseline Review assessments Network Share Shared Scan configuration Files Shared Scan filters (Security Policy) Shared Scan Markup settings configuration, filters and updates pushed to developers workstations (end point management) Source Code & Dependencies Priority to get security scanning to each and every developer Very small Security team with minimal global reach Results not being reviewed by Security Metrics based on who has the software installed and who has run a scan Developers confused as to why this is happening Findings and risk a lower priority

32 CASE 3 DevOps CI Pipe expansion Developer Assisted Tooling Security Assurance Design & Plan CODE CI & BUILD TEST RUN Senior Developers SAST IDE Scanning For Development Scan Applications and Projects Interactive Application Security Test (IAST) Runtime Application Self Protection (RASP) SECURITY Self Service Portal Security Audit Security Team For Automation Submitted Application Code and Dependencies SAST Automation Portal Reporting Security Champions For Analysis Create Scan configuration Files Create Scan filters Markup Rules for applications

33 CASE 4 SAST Automation and Security Testing AUTO Publish Findings Application Security Management Reports & dashboards Managers Reporting View Application Metrics AppScan Source DB Security Team are Champions Each application scanned By Security team to ensure full coverage Build Server For Automation Scan (Auto) Custom rules (Application Policy) Markup Management Ensure Scan Coverage IFA Security Team For Analysis Create Policy / Baseline Scan applications Markup to ensure coverage Integration with Build Process (TFS - CLI) Network Share Assessment Results Developers For Remediation Open Assessments Fix Findings Conduct Scans Conduct Scans Source Code & Dependencies Security Team working through applications to onboard them Developers get results from the Security team and then set priorities Automation used to maintain steady state scanning On Premise Auto Triage (IFA) is used to speed up the triage process

34 - The Security Life Cycle of an Application IFA enhances continuous testing 34 6/19/18

35 Cognitive computing applied to security vulnerability analysis Machine learning with Intelligent Findings Analytics IFA * Now Available on Premise! Fast AppScan SAST results Intelligent Findings Analytics Fully automated review of scan findings Trained by IBM/HCL Security Experts Early and repeatable vulnerability analysis drives cost reduction for fixes 1 Learned results Reduce false positives Minimize unlikely attack scenarios Provide fix recommendations that resolve multiple vulnerabilities ** NOTE : Only available with Automation License

36 The Life Cycle of an Application (SAST) CODE BUILD QA SECURITY PRODUCTION CI - Development Gate Security Gate Continuous Integration IFA For Automation IFA Delta Findings For Analysis Periodic deep dive review of application Security Champion IFA For Analysis Onboard application using IFA to establish baseline Security Champion Gate Conditions Build process controls Pass / Fail IFA Delta Scans (only new issues reported) Gate Conditions All High risk issue resolved All Medium risk issues > 30 days resolved Any Low risk issues > 90 days resolved

37 Phase 1 : Application On Boarding Security Team are Champions Application Security Management Reports & dashboards AppScan Source DB Markup Management Maintain Confi & Filters Add missing Sources Resolve genuine Lost Sinks Ensure Scan coverage Each application is scanned by Security team Review conducted to ensure full coverage 1. Identified any Missing Sources 2. Resolve Lost Sinks to help resolve Scan Coverage exceptions 3. Mark only Genuine Sinks 4. Scan with a config that will automatically mark all remaining lost sinks as a taint propagators. Maximising the data flow. Security Team For Analysis Create Config / Filters Scan applications Rescans Markup to ensure coverage Conduct Scans Source Code & Dependencies

38 Phase 1 : Application On Boarding Security Team are Champions Application Security Management IFA Original OZASMT IFA Triage IFA- Delta Network Share Assessment Results The deeper triage of findings is conducted using Intelligent Findings Analytics (IFA) IFA to focus on Actionable findings IFA also used to provide delta reports. This initial cycle formulating the baseline Reports & dashboards AppScan Source DB Markup Management Maintain Confi & Filters Add missing Sources Resolve genuine Lost Sinks Ensure Scan coverage Security Team For Analysis Create Config / Filters Scan applications Markup to ensure coverage Conduct Scans Source Code & Dependencies

39 Phase 1 : Application On Boarding Security Team are Champions The initial IFA Triage scan results are reviewed with the development team Application Security Management IFA Original OZASMT IFA Triage IFA- Delta Network Share Assessment Results Reports & dashboards AppScan Source DB Markup Management Maintain Confi & Filters Add missing Sources Resolve genuine Lost Sinks Ensure Scan coverage Developers For Remediation Open Assessments Fix Findings Security Team For Analysis Create Config / Filters Scan applications Markup to ensure coverage Conduct Scans Source Code & Dependencies

40 Phase 1 : Application On Boarding Security Team are Champions Application Security Management Reports & dashboards AppScan Source DB Markup Management Maintain Confi & Filters Add missing Sources Resolve genuine Lost Sinks Ensure Scan coverage IFA Original OZASMT IFA Triage IFA- Delta Network Share Assessment Results Developers For Remediation Open Assessments Fix Findings The initial IFA Triage scan results are reviewed with the development team The development team may choose to filter additional findings where data points can be trusted. The remainder are then assigned as defects to be corrected. Security Team For Analysis Create Config / Filters Scan applications Markup to ensure coverage Issue to Filter Fix code Conduct Scans Source Code & Dependencies

41 Phase 1 : Application On Boarding Security Team are Champions Application Security Management Reports & dashboards AppScan Source DB Publish Baseline Assessment Markup Management Maintain Confi & Filters Add missing Sources Resolve genuine Lost Sinks Ensure Scan coverage IFA Original OZASMT IFA Triage IFA- Delta Network Share Assessment Results Developers For Remediation Open Assessments Fix Findings The initial IFA Triage scan results are reviewed with the development team The development team may choose to filter additional findings where data points can be trusted. The remainder are then assigned as defects. A final scan is conducted and the results published as the baseline findings. Managers Reporting View Application Metrics Security Team For Analysis Create Config / Filters Scan applications Markup to ensure coverage Issue to Filter Fix code Conduct Scans Source Code & Dependencies

42 Phase 2 : Build Integration Security Team are Champions Application Security Management Reports & dashboards Managers Reporting View Application Metrics AppScan Source DB Build Server For Automation Publish Delta Assessment Scan (Auto) IFA Security Team For Analysis Update Config / Filters Integration with Build Process (Jenkins - CLI) Develop CLI Script to Scan, Run IFA and Publish via Build Conduct Scans Source Code & Dependencies With the application on boarded, CLI scripts can be developed to initiate the scan from the Build Cycle. Post build Script called from CI environment such Jenkins or TFS Script will scan the application run IFA and publish the delta results

43 Phase 3 : On Going Scan and Review Security Team are Champions Application Security Management Reports & dashboards Managers Reporting View Application Metrics AppScan Source DB Build Server For Automation Publish Delta Assessment Markup Management Modify Filters Scan (Auto) IFA Security Team For Analysis Update Config / Filters Issue to Filter Integration with Build Process (Jenkins - CLI) Original OZASMT IFA Triage IFA- Delta Network Share Assessment Results Developers For Remediation Open Assessments Fix Findings Fix code Conduct Scans Source Code & Dependencies Automation of the application is complete Regular scans can be conducted after every build or at strategic points such as the end of a sprint. Delta reports from the baseline report on only newly found issues Security team role is reduced to approving filter alterations

44 Phase 4 : Periodic Full Review Security Team are Champions Application Security Management Reports & dashboards AppScan Source DB Markup Management Add missing Sources Resolve genuine Lost Sinks Review excluded findings Mark no-trace findings IFA Network Share Assessment Results Developers For Remediation Open Assessments Fix Findings Security team provides periodic reviews of the application These reviews are needed to assess the rules written, the scan exclusions and investigate the scan coverage These reviews enhance the mark up of the application Provides a deeper level of analysis Security Team For Analysis Update Config / Filters Scan applications Markup to ensure coverage Issue to Filter Fix code Conduct Scans Source Code & Dependencies

45 Triage with IFA Suggested Workflow Security Analyst Lead Developer / Champion Developer Maintain Users Conduct Normal Scan Conduct Scan from IDE (optional) Define Scan Policies Any Scan Coverage Issues? No Conduct Auto Taint Propagation Scan Analyze Reported findings Periodically Review Scan Results Yes Maintain Scan Metrics Create Custom Rules (for sources and genuine Sinks) Filter False Positive (using pre scan filter) Manually Run IFA in Triage Mode Publish IFA Findings to ASE Is Finding Genuine? Yes Fix Finding No Report Findings

46 Application SAST Timeline Time spent for every 250K lines of Code (Hours) On Boarding Activities Build Integration Steps OnGoing Scan and Review Periodic Full Application SAST Review

47 - The Security Life Cycle of an Application ASoC Scanning and Enablement 47 6/19/18

48 Application Security on Cloud (ASoC) Dynamic Analysis Static Analysis Mobile Analysis Open Source Analysis

49 ASoC Application Security Gates Multiple Gates CODE BUILD QA SECURITY PRODUCTION CI - Development Gate QA Gate Security Gate Continuous Integration SAST Automation DAST Automation PEN Testing Ad Hoc Scanning Mobile Scanning DAST SAST Open Source IDE SAST Scanning Developers Developers Developers & QA Testers Security Champion Pen Testing Gate Conditions Build process controls Pass / Fail Must pass organizations BASELINE Filter Gate Conditions All High & Medium risk Application issue resolved All Input Validation issues resolved Gate Conditions All High risk issue resolved All Medium risk issues > 30 days resolved Any Low risk issues > 90 days resolved

50 ASoC Scanning Automation / Scan and Review Managers View Application Metrics Use a single console for managing application risk, test results, reporting and policies DAST Automation Automation from Functional testing tools Continuous Integration Web Application(s) Conduct Scans SAST Automation IRX (intermediate Representation of code) IDE Scans Run Mobile Scans Security Team Create Policy Scan Applications Approve Findings Developers Scan Applications Review Findings Mobile Interactive testing of a Mobile binary Integration with CI testing tools for DAST & SAST Automation Regular scans can be conducted after every build or at strategic points such as the end of a sprint. Open Source Analysis on all scans Mobile Scanning Analysis Regular management metrics

51 Questions??? 51 6/19/18